Apple exec used personal e-mail to avoid detection ... and so do IT professionals, says survey

Most IT professionals share one thing with the Apple manager accused of accepting millions in bribes and kickbacks, a firm that develops secure file transfer software said today.

They use private e-mail accounts to transfer confidential company information.

"Not only is it common, but it's startling in its frequency," said Hugh Garber, a product manager at Lexington, Mass.-based Ipswitch.

According to Ipswitch, which surveyed attendees at the Infosecurity Europe conference held in London last April, more than two-thirds of IT professionals admitted sending classified company information, including customer data and financial information, via personal e-mail at least once a month. Over a third do so daily.

More disturbing, said Garber, was that 40% of those polled said that they used personal e-mail accounts to avoid any audit trail of what was sent and to whom.

"Of course, most of that privileged information misuse is not malicious," said Garber. "Many of the times, it's your hardest-working employees just trying to get the job done."

Workers turn to personal e-mail accounts because they see them as a faster, easier way to transfer data than company-provided accounts, which typically have size limits on attachments, said Garber. But it's also obvious that some want to mask the data transfers from management, he added.

That's exactly what Apple has accused one of its employees of doing.

In a civil lawsuit filed last Friday in a San Jose, Calif., federal court, Apple charged Paul Shin Devine, a global supply manager in charge of procuring iPhone and iPod component parts, with taking more than $1 million in bribes and kickbacks from half a dozen Asian suppliers over a three-year period.

Devine has also been indicted on 23 criminal counts by a federal grand jury, and is currently being held in custody. He now faces a bail hearing next Monday, Aug. 23, on those charges. Earlier this week, Devine pleaded not guilty to all counts.

Apple's lawsuit alleged that Devine used personal accounts on Windows Live Hotmail and Gmail, the Web-based services operated by Microsoft and Google, respectively, to avoid suspicion as he managed a complex bribery scheme.

According to the lawsuit, Apple first discovered Devine's kickback operation in April after imaging the hard drive of his company-supplied notebook, where it found a cache of Hotmail and Gmail messages that allegedly showed he provided suppliers with confidential information they used to secure contracts with Apple.

In several instances, Devine supposedly told his supplier contacts not to e-mail him at his Apple-provided address. "Please avoid use that email as Apple IT team will randomly scan emails for suspicious email communications on forecast, cost and new model information," Devine told one supplier in September 2008, the lawsuit claimed.

Apple argued that it not only had no idea of Devine's scheme, but that it could not have known.

"Apple did not discover and could not have discovered through the exercise of reasonable diligence the factual basis of the causes of action alleged herein at any earlier point in time," the lawsuit stated. "Devine made extensive efforts to conceal his unlawful acts."

Garber had to agree. "This employee was using a tool [the Hotmail and Gmail accounts] outside of Apple's control," he said.

Like many other companies, Apple may have had policies in place that forbid employees from using personal accounts for business purposes, but that rarely stops people. "It's easy [for companies] to say you can't do things," Garber said. Enforcement is the tougher part of the equation.

"Unless IT teams policies with a tool that employees can use, they'll take methods into their own hands," he said, referring to transferring data via personal e-mail accounts, unsanctioned flash drives, or even CDs and DVDs.

Garber pitched Ipswitch's file transfer software as a solution, including its Outlook plug-in, which lets users send what he called "ginormous" files while allowing IT to maintain an audit trail for compliance purposes.

"In an ideal situation, employees wouldn't be able to use personal e-mail accounts at work," said Garber. "But the survey showed that even IT people are swayed by the same reasons as anyone else. They're having problems with speed and convenience, too, and don't want to jump through hoops to transfer information."